What is claimed is:

1. A firewall system for protecting a network element from access over a network to which the network element is attached, the firewall system comprising:

a firewall box;

a first connection connecting the network to the firewall box;

a second connection connecting the firewall box to the network element; and

at least one proxy agent running on the firewall box for verifying that an access request packet received over the first connection is authorized to access the network element, the at least one proxy agent initiating a connection to the network element on behalf of the access request if the access request is authorized; wherein the firewall box is a [illegible].


2. The firewall system claimed in claim 1, wherein the firewall box is dedicated to a firewall application.


3. The firewall system claimed in claim 1, wherein the firewall box is a general purpose computer.

4. The firewall system claimed in claim 1, wherein the firewall application comprises a plurality of proxy agents, each of the plurality of proxy agents being individually suited, in accordance with a port number indicated in an incoming access request, for verifying the incoming access request.


5. The firewall system claimed in claim 1, wherein the at least one proxy agent verifies that a source address associated with an incoming access request is authorized to access the network element.

6. The firewall system claimed in claim 1, wherein the at least one proxy agent verifies that a user associated with an incoming access request is authorized to access the network element.


7. The firewall system claimed in claim 6, wherein the at least one proxy agent prompts the user to enter a user name and verifies the user name entered.

8. The firewall system claimed in claim 6, wherein the at least one proxy agent prompts the user to enter a user name and a password and verifies the user name and password entered.


9. The firewall system claimed in claim 8, wherein the at least one proxy agent, upon receiving and verifying the user name and password, communicates a second password to the user using an out-of-band means, which second password is to be entered by the user to advance a logon process.

10. The firewall system claimed in claim 9, wherein the second password is a random number.

11. The firewall system claimed in claim 9, wherein the out-of-band means is a [illegible].


12. The firewall system claimed in claim 1, wherein the at least one proxy agent verifies that a time period during which an incoming access request is received is valid.

13. The firewall system claimed in claim 1, wherein the at least one proxy agent verifies that an incoming access request contains no executable commands directed to the firewall [illegible].

14. The firewall system claimed in claim 1, wherein the at least one proxy agent verifies that a destination associated with an incoming access request is valid.

15. The firewall system claimed in claim 14, wherein the at least one proxy agent verifies that a destination indicated in an incoming access request is valid for a user associated with the incoming access request.

16. The firewall system claimed in claim 1, wherein the at least one proxy agent addresses the network element according to an alias.

17. The firewall system claimed in claim 1, wherein the at least one proxy agent manages the connection to the network element.

18. The firewall system claimed in claim 1, wherein the at least one proxy agent operates in a daemon mode.

19. The firewall system claimed in claim 1, wherein the firewall system operates in a UNIX environment and the at least one proxy performs a Changeroot command prior to processing an incoming access request.

20. The firewall system claimed in claim 1, wherein an operating system of the firewall box performs packet filtering.

21. The firewall system claimed in claim 1, further comprising:

a router attached between the firewall box and the public network, which router performs packet filtering.

22. The firewall system of claim 1, further comprising:

a transaction log for recording information regarding an access request.


23. A firewall method for protecting a network element from unauthorized access over a network to which the network element is attached, the method comprising the steps of:

receiving an incoming access request; thereafter

assigning a proxy agent to the incoming access request in accordance with a port number indicated in the incoming access request; thereafter

verifying the authority of the incoming access request to access the protected network element by using the proxy agent as a verification means; and thereafter

using the proxy agent to form a connection to the network element on behalf of the incoming access request if the authority of the incoming access request is [illegible].



24. The firewall method claimed in claim 23, wherein an assigned proxy agent is selected from a plurality of proxy agents, each of the plurality of proxy agents being individually suited, in accordance with a port number indicated in an incoming access request, for verifying the incoming access request.


25. The firewall method claimed in claim 23, wherein the step of verifying the authority of the incoming access request includes:

using the at least one proxy agent to verify that a source address associated with an incoming access request is authorized to access the network element.
26. The firewall method claimed in claim 23, wherein the step of verifying the authority of the incoming access request includes:

using the at least one proxy agent to determine the identity of a source of the incoming access request;

using the at least one proxy agent to initiate a first set of verification checks in response to a first identified source; and

using the at least one proxy agent to initiate a second set of verification checks in [illegible].

27. The firewall method claimed in claim 23, wherein the step of verifying the authority of the incoming access request includes:

using the at least one proxy agent to verify that a user associated with an incoming access request is authorized to access the network element.


28. The firewall method claimed in claim 27, wherein the method further comprises the steps of:

using the at least one proxy agent to prompt the user to enter a user name; and

verifying the authority of the user name entered.

29. The firewall method claimed in claim 27, wherein the method further comprises the steps of:

using the at least one proxy agent to prompt the user to enter a user name and a password; and

verifying the authority of the user name and password entered.
30. The firewall method claimed in claim 27, wherein the method further includes the steps of:

using the at least one proxy agent to communicate a second password to the user using an out-of-band means, which second password is to be entered by the [illegible].

31. The firewall method claimed in claim 30, wherein the second password is a random number.

32. The firewall method claimed in claim 30, wherein the out-of-band means is a beeper.




33. The firewall method claimed in claim 23, wherein the method further comprises the step of:

using the at least one proxy agent to verify that a time period during which an incoming access request is received is valid.

34. The firewall method claimed in claim 23, wherein the step of verifying the authority of the incoming access request includes:

using the at least one proxy agent to verify that an incoming access request contains no executable commands.

35. The firewall method claimed in claim 23, wherein the step of verifying the authority of the incoming access request includes:

using the at least one proxy agent to verify that a destination associated with an incoming access request is valid.
36. The firewall method claimed in claim 23, wherein the step of verifying the authority of the incoming access request includes:

using the at least one proxy agent to verify that a destination indicated in an incoming access request is valid for a user associated with the incoming access request.

37. The firewall method claimed in claim 23, wherein the step of using the proxy agent to form a connection to the network element on behalf of the incoming access request includes:

addressing the network element according to an alias.

38. The firewall method claimed in claim 23, wherein the at least one proxy agent operates in a daemon mode.

39. The firewall method claimed in claim 23, wherein the method operates in a UNIX environment and the method further includes the step of:

having the at least one proxy perform a Changeroot command prior to processing an incoming access request.

40. The firewall method claimed in claim 23, wherein the method further includes the step of:

performing packet filtering on the incoming access request.


41. The firewall method claimed in claim 23, further comprising the step of:

maintaining a transaction log for recording information regarding an [illegible].
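The system claims (1 to 22) and the method claims (23 to 41) describe one pipeline: assign a proxy agent by the port number in the incoming request, have that agent run the verification checks (source address, user name and password, out-of-band second password, time period, absence of executable commands, destination valid for the user), and only then open the connection to the network element, addressed through an alias, on the request's behalf, logging the transaction. The Python below is an added illustration of that pipeline written for this page; it is not code from the patent or its assignee. Every name in it (ProxyAgent, TelnetAgent, FtpAgent, AccessRequest, Connection, handle, the policy tables and the SAMPLE_* requests) is an assumption constructed for the example, and the beeper channel of claims 9 to 11 is simulated with a callback that delivers the second password and returns what the user types.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from datetime import time

# Constructed policy tables for the example (assumptions, not from the patent).
AUTHORIZED_SOURCES = {"10.0.0.5", "10.0.0.7"}                # claims 5 / 25: source address check
USERS = {"alice": "correct-horse", "bob": "battery-staple"}  # claims 7-8 / 28-29: user name + password
DESTINATIONS_FOR_USER = {"alice": {"ops-host"}, "bob": {"ops-host", "ftp-host"}}  # claims 15 / 36
ALIASES = {"ops-host": "192.168.1.10", "ftp-host": "192.168.1.20"}  # claims 16 / 37: alias -> element
ACCESS_WINDOW = (time(8, 0), time(18, 0))                     # claims 12 / 33: valid time period
EXECUTABLE_MARKERS = re.compile(r"[;|&`]|\$\(")               # claims 13 / 34: no embedded commands
TRANSACTION_LOG: list[str] = []                                # claims 22 / 41: transaction log


@dataclass
class AccessRequest:
    src_addr: str
    port: int
    user: str
    password: str
    destination: str       # alias only; the request never carries the element's real address
    received_at: time
    payload: str = ""


@dataclass
class Connection:
    agent: str
    user: str
    target: str            # real address resolved from the alias by the proxy


class ProxyAgent:
    """Checks every agent applies, whatever protocol it proxies."""
    name = "generic"

    def verify(self, req: AccessRequest) -> list[str]:
        failures = []
        if req.src_addr not in AUTHORIZED_SOURCES:
            failures.append("source-address")
        if not ACCESS_WINDOW[0] <= req.received_at <= ACCESS_WINDOW[1]:
            failures.append("time-period")
        if EXECUTABLE_MARKERS.search(req.payload):
            failures.append("executable-command")
        if req.destination not in ALIASES:
            failures.append("destination")
        return failures


class TelnetAgent(ProxyAgent):
    """Interactive logon: user name and password, then an out-of-band second password."""
    name = "telnet"

    def verify(self, req: AccessRequest) -> list[str]:
        failures = super().verify(req)
        stored = USERS.get(req.user)
        if stored is None or not hmac.compare_digest(stored, req.password):
            failures.append("credentials")
        elif req.destination not in DESTINATIONS_FOR_USER.get(req.user, set()):
            failures.append("destination-for-user")
        return failures

    @staticmethod
    def second_password() -> str:
        # Claims 9-10 / 30-31: a random number sent over an out-of-band channel.
        return f"{secrets.randbelow(10 ** 6):06d}"


class FtpAgent(ProxyAgent):
    """In this example the FTP agent applies only the generic checks."""
    name = "ftp"


AGENTS = {23: TelnetAgent(), 21: FtpAgent()}   # claims 4 / 24: one agent per port number


def assign_agent(port: int):
    return AGENTS.get(port)


def handle(req: AccessRequest, deliver_out_of_band=None):
    """Claim-23 sequence: assign agent, verify, then connect on the request's behalf.
    deliver_out_of_band(second_password) stands in for the beeper and returns what the
    user then types at the logon prompt; with no channel the second step cannot pass."""
    agent = assign_agent(req.port)
    if agent is None:
        TRANSACTION_LOG.append(f"DENY port={req.port} src={req.src_addr} reason=no-agent")
        return None
    failures = agent.verify(req)
    if not failures and isinstance(agent, TelnetAgent):
        issued = agent.second_password()
        entered = deliver_out_of_band(issued) if deliver_out_of_band else ""
        if not hmac.compare_digest(issued, entered):
            failures.append("second-password")
    if failures:
        TRANSACTION_LOG.append(f"DENY port={req.port} src={req.src_addr} user={req.user} "
                               f"reason={','.join(failures)}")
        return None
    target = ALIASES[req.destination]
    TRANSACTION_LOG.append(f"ALLOW port={req.port} src={req.src_addr} user={req.user} target={target}")
    return Connection(agent.name, req.user, target)


# Constructed sample requests (not captured traffic).
SAMPLE_OK = AccessRequest("10.0.0.5", 23, "alice", "correct-horse", "ops-host", time(9, 30))
SAMPLE_BAD_SOURCE = AccessRequest("192.0.2.9", 23, "alice", "correct-horse", "ops-host", time(9, 30))
SAMPLE_AFTER_HOURS = AccessRequest("10.0.0.5", 23, "alice", "correct-horse", "ops-host", time(23, 0))
SAMPLE_INJECTED = AccessRequest("10.0.0.5", 23, "alice", "correct-horse", "ops-host", time(9, 30),
                                payload="alice | id")
SAMPLE_WRONG_DEST = AccessRequest("10.0.0.5", 23, "alice", "correct-horse", "ftp-host", time(9, 30))
SAMPLE_FTP = AccessRequest("10.0.0.7", 21, "bob", "", "ftp-host", time(10, 0))
SAMPLE_NO_AGENT = AccessRequest("10.0.0.5", 8080, "alice", "correct-horse", "ops-host", time(9, 30))

if __name__ == "__main__":
    for req in (SAMPLE_OK, SAMPLE_BAD_SOURCE, SAMPLE_AFTER_HOURS, SAMPLE_INJECTED,
                SAMPLE_WRONG_DEST, SAMPLE_FTP, SAMPLE_NO_AGENT):
        handle(req, deliver_out_of_band=lambda pw: pw)   # simulate a user who types the code correctly
    print("\n".join(TRANSACTION_LOG))
```

Running the module prints the transaction log for the sample requests. Two design points carry the weight of the claims: the proxy addresses the network element only through the alias table, so a request can never name the real address, and both the stored password and the second password are compared with hmac.compare_digest so that a failed check does not leak information through timing.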
42. A firewall system for protecting a network element from access over a network to which the network element is connected, the firewall system comprising:

means for receiving an access request from a source device over the network;

means for determining whether the source device is authorized to access the network element; and

means for establishing a connection to the network element on behalf of the source device in the event that the source device is authorized to access the network element;

wherein the firewall system runs on a stand alone computer connected between the network and the network element.



43. A firewall system as claimed in claim 42, wherein the determining means is a proxy agent assigned to the incoming access request, in accordance with a port number indicated in the access request, to verify the authority of the source device to access the network element.


44. A method for controlling a computer to act as a firewall for protecting a first network element from unauthorized access through a second network element over a network to which the first network element is attached, the method comprising the steps of:

receiving an access request to access the first network element at the computer;

assigning a proxy agent to the access request, based on a port number indicated within the access request, which proxy agent determines whether the first network element is authorized to access the second network element; and

using the proxy agent to establish a connection between the first and second network elements on behalf of the second network element if it is determined that the second network element is authorized to access the first network element.

45. A firewall process for operating a computer connected between a network and a network element to protect the network element from unauthorized access over the network, the firewall process comprising the steps of:

receiving an access request from a source device over the network;

determining whether the source device is authorized to access the network element; and

establishing a connection between the source device and the network element on behalf of the source device, if the source device is determined to be authorized.


46. An article of manufacture for use in a stand alone firewall computer to isolate a network element from unauthorized access over a network to which the network element is attached, comprising a computer-usable medium having computer readable program code means for causing the computer to:

receive an incoming access request transmitted over the network;

assign a proxy agent to the incoming access request, which assignment is performed in accordance with a port number associated with the incoming access request;

use the proxy agent to determine whether the incoming access request is authorized to access the network element; and

use the proxy agent to establish a connection between the computer and the network element on behalf of the incoming access request if the incoming access request is determined to be authorized.



